WEBVERSE

hard | Reflected XSS | Pro

Fieldnote

A research tool checks that shared URLs 'contain http'. They really ought to check more.

The Scenario

Fieldnote is a journaling app for field biologists. Colleagues paste links to related papers or references and share them via a /share?u= URL. The filter is one line — if the URL doesn't contain 'http', replace it with a safe default. The filter author didn't think about what 'contains' actually means.
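The difference between a "contains 'http'" check and a parsed-scheme allow-list, as an added example that is not Fieldnote's or the challenge's own code. The function names, the fallback URL and the sample inputs are constructed assumptions.

```python
import html
from urllib.parse import urlsplit

SAFE_DEFAULT = "https://example.org/"  # assumed fallback; the page only says "a safe default"
ALLOWED_SCHEMES = {"http", "https"}

def substring_filter(u: str) -> str:
    """The check as described on the page: keep anything that contains 'http'."""
    return u if "http" in u else SAFE_DEFAULT

def scheme_filter(u: str) -> str:
    """Hardened check: parse the URL, allow-list the scheme, require a host."""
    cleaned = u.strip()
    # Browsers drop tab/CR/LF inside URLs before parsing, so refuse control chars outright.
    if any(ord(c) < 0x20 for c in cleaned):
        return SAFE_DEFAULT
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed bracketed host
        return SAFE_DEFAULT
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return SAFE_DEFAULT
    return cleaned

def render_link(u: str) -> str:
    """Reflect into href only after scheme validation and attribute escaping."""
    return '<a href="%s">shared link</a>' % html.escape(scheme_filter(u), quote=True)

# Constructed sample inputs for the ?u= parameter.
SAMPLES = [
    "https://doi.org/10.1000/example",  # ordinary paper link
    "javascript:void(0)//http",         # 'http' only appears in a trailing comment
    "ftp://files.example/http.txt",     # 'http' only appears in the path
    "mailto:someone@example.org",       # no 'http' at all
]

def disagreements(samples):
    """Inputs the substring check lets through but the scheme check rejects."""
    return [u for u in samples if substring_filter(u) != scheme_filter(u)]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u!r:40} substring={substring_filter(u)!r} scheme={scheme_filter(u)!r}")
    print("disagree:", disagreements(SAMPLES))
```

The substring check answers "does this text mention http", while the scheme check answers "what will the browser do when this href is clicked", which is the question the filter needed to ask.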

Challenge Intel

Synopsis

The filter wants to see 'http'. Give it 'http' — somewhere harmless.

What It Is

A Flask share page with a substring-based URL filter and an href reflection.

Who It's For

Someone comfortable with several XSS contexts and ready for a filter-specific bypass.

Skills You'll Practice

  • javascript: URL construction
  • Comment-tail tricks (//http) to satisfy substring filters
  • Reasoning about URL scheme parsing vs. regex filtering

What You'll Gain

  • Understanding that URL parsing is spec-driven, not regex-driven
  • A reliable technique for substring-filter bypass
